
Navy shooting highlights gaps in military access control systems

Experts: Federal system needs better monitoring

Common Access Card front

Common Access Card back

The smart cards Fort Gordon uses to grant civilian contractors extended gate access are part of a federal security network that national experts said has grown so large it is vulnerable to sociopaths and tech-savvy criminals who steal or copy clearance passes to gain entry into highly secured areas.

The common-access card Aaron Alexis flashed to bypass guards and metal detectors at the Washington Navy Yard on Sept. 16 to go on a killing spree was developed in 2002 as a cost-effective way to increase physical security at federal buildings as the war on terrorism loomed.

However, the passes, which contain a microchip, barcodes and a magnetic stripe to allow access to controlled spaces, computer systems and network servers, have become so widespread that nearly seven million people at more than 700 U.S. facilities have a badge.

While contractors and software technicians agreed many of the security improvements adopted after 9/11 were not created with mentally ill individuals in mind, they said all the required tools and infrastructure are in place to keep military installations such as Fort Gordon safe from terrorists and spies.

They said it just needs stronger oversight and implementation.

“The opportunity exists to step up security,” said Tom Corder, the president of BridgePoint Systems, the San Francisco-based security solutions firm that helped the Pentagon design and produce the military’s access-control network.

In a phone interview last week, Corder said that the Navy probably has the best physical security program in the U.S. government, but it was not being implemented properly.

He said the Defense Department “rarely uses” the encryption technology his firm built into common-access cards to enable users to securely and privately exchange data on an unsecured public network, such as the Internet.

The infrastructure, among other things, verifies a cardholder’s identity and confirms that no unauthorized modification of data has occurred.

“In the Navy Yard incident, it turns out that this was just a person who went bad, but it could have also been someone who found or stole a common-access card, or possibly copied one electronically, which can be done and was initially theorized as what had happened,” Corder said.

Corder said the cryptographic tools that are on the card and in the access-control system could detect any copying or tampering and deny a person access. However, he could not say whether the system is being fully implemented at Fort Gordon, or whether the Pentagon plans to retrain the supervisors who managed the system.

Officials at Fort Gordon have confirmed that the Defense Department’s security audit is underway at the Army post.

“With the nationwide installation gate access and clearance review that is taking place, we are going to wait and see what changes may take place before we continue,” spokesman Buz Yarnell said in response to an information request from The Augusta Chronicle.

According to Fort Gordon’s Web site and Defense Department records, an estimated 30,000 people representing at least 25 contractors and five government agencies have obtained a common-access card “based on tenure” from the government officer who represents its offices.

Requests are submitted to the Army post’s Directorate of Emergency Service, and according to defense rules, the fort’s Physical Security Office must run applicants through an FBI fingerprint check; submit a National Agency Check with Inquiries to the Office of Personnel Management; and confirm that a candidate requires access to multiple facilities and networks on a recurring basis for a period of at least six months.

If all criteria are met, contractors and subcontractors may be awarded common-access cards for up to three years, enabling long-term visitors to enter Fort Gordon at any of its five security gates, “simply by flashing their badges,” said Mark Wright, Defense Department spokesman. “My CAC card alone will get me on pretty much any base I want, unless it is tightly controlled,” Wright said. “I can go to the gas station or to a fast-food restaurant, but if I want to get into a building that contains highly classified information, I’ll be stopped and asked for additional identification.”

Wright said each building on a military post has different levels of security and some, he said, require certain types of clearance.

“If you are a fairly high-ranking individual or hired for a specific, classified process you must get approved for a security clearance and receive a badge verifying that clearance before you can gain access to a secured area,” he said.

Although Alexis was approved for a security clearance, defense officials say he shot his way into the building where the shooting took place.

Wright said being approved for a security clearance is a “fairly thorough process” that, on top of the same background procedures required for common-access cards, includes a review of all police, employer and school records dating back five years.

Yet, despite these safeguards, a person permitted to enter highly secured areas has passed through the layers of protection at a U.S. base twice in four years and opened fire, destroying the sense of security at the government facilities that embody the most powerful military in the world.

Simon Brody, the communications director for the National Association of Government Contractors, a Washington, D.C.-based trade organization, said the problem lies in oversight, specifically among the government representatives who issue common-access cards.

“There are not enough contracting officers,” said Brody, adding that a lack of accountability is a “constant theme” in the contracting industry.

Defense Department records show that in the third quarter of fiscal year 2012, it took an average of 34 days to investigate and approve security clearances, the type of pass Alexis had. Experts say the process should take at least three months to complete.

“The entire system needs to be redesigned or we need to at least acknowledge that a lot of our contracting officers and agency officials are just not doing enough to make sure everything is being done properly.”

According to the American Forces Press Service, the Pentagon has recommended a couple of changes to its security procedures, such as including all available police documents in background screenings and assigning management responsibilities exclusively to executive officers.

“The systems are not working,” Brody said. “We can overhaul it, call it something new, but what it really comes down to is there are not enough people monitoring it.”

Corder said an overhaul of the common-access-card system, which involves a standard background check for all federal agencies and an application, is unnecessary.

“It just needs to be used to a higher standard,” he said.

Prior to the common-access card, every base had its own system, operated by local, proprietary vendors, Corder said. Now, there is one personal identity badge that’s valid at all government agencies, which Corder said is good for areas such as Augusta, home to four different military branches and the National Security Agency at Fort Gordon, and the Department of Energy’s Savannah River Site in South Carolina.

If an emergency arises or a person is believed to be tampering with the system, the universal system, if used right, could detect and stop a bad guy, especially at military installations, which experts believe are less vulnerable to an attack than other agencies.

“If the system is used properly,” Corder said, “we’d be in a lot better shape than we have ever been.”